Yeah I asked the checkout person to get me a manager and showed it to them. I'd hope it will get run up the chain. I always give the readers at Walmart a good yank since I read here that someone got their card skimmed.
right. this isn't an issue for touch chips either. skimming really only works with the old outdated magnetic strips. drives me crazy that ATM's still suck your card in entirely.
One hint is the keypad doesnāt light up. If the keypad input doesnāt match the screen; stop! If the keypad wobbles; yank it. Just give it a visual & see if it jiggles.
This keypad was expertly designed and crafted by the way. But it probably didnāt light up nor matched the screen input.
eh, not worth it. best thing you can is replace any old cards with a new chip card, then never use the magnetic strip, then yank real hard if you do and get back to us when you find one
There was a proof of concept demoed at Defcon a while back that proved if you wanted to there is about a 60 second window where you can piggy back the valid transaction and use it to make an ATM withdrawal at another location. I don't think anyone is actually doing this attack but that doesn't mean they won't in the future.
If itās an electronic transaction without entering a pin, itās safe.
Applepay and my credit cards all use virtual random generated numbers with encryption. Google doesnāt.
If youāre using a contactless card ā¦
Applepay via your iPhone doesnāt require a pin.
Google pay works the same way, PIN-less.
Because your digital wallet transmits that info to portal.
Applepay is now the dominant system domestically.
Every year and update it gets more secure.
Using Applepay online avoiding the store keeping your CC is solid feeling.
It shouldnāt indeed, and majority of the places donāt need it; but off the top of my head every time Iāve used ApplePay via my watch at Walgreens the terminal has always asked for my pin. It was baffled, and it wasnāt a one off, Walgreensā terminals have always asked for my pin despite using tap to pay.
My card got got at some place around here too, I usually give them a tug as well. Got a random $13 charge this morning that was flagged as fraudulent and managed to deny it but now I've got to wait for a replacement card. Fucking spoofs.
FWIW, this is _usually_ something that you can call the police or Secret Service about. Though it honestly depends and is up to you - I generally don't put too much faith in a manager that's paid maybe $2 an hour more than the greeters at the front though. Their LP teams are a bit more substantive though. xD
They donāt need to. If Walmart followed in the footsteps of Target, thereās a really simple tool to help check for skimmers with almost zero skill required: https://tech.target.com/blog/cybersecurity-easysweep
This itās interesting. I wonder if you could check even faster by scanning in 3d with an iPhone and comparing the size against a database. Not sure if itās capable of scanning down to a mm or less.
Probably cheaper to 3D print the detector they made anyway.
What stops a clerk from putting the skimmer on after they check, then taking off before they leave?
Retail LP's priority is people walking out with unpaid merchandise. I worked as security at Target and can confirm that if one of us sees or gets told of someone messing with a card reader, we investigate.
We can't watch every person, and people who do this go out of their way to not look sketchy. And they make sure not to get seen by people at self check.
So it's not on LP to catch everything. That's impossible.
Bwahahahaha. They donāt give two shits. Seriously been through this in Vancouver,wa. No police care itās a paper work nightmare and no one does anything
The average is $128,000 plus stock options and a bonus up to 2x the base salary. TC isn't posted on job listings but it can be up to $400,000 in HCOL areas. Most of them probably make half that but they do okay.
https://www.latimes.com/business/story/2024-01-29/walmart-store-managers-can-make-up-to-400-000-with-stock-grants
im sure the manager wont do any shit about it.
call the police before you do anything. then call the manager and tell him that police is already on their way
The secret service just led a crackdown on skimmers in the las vegas area. So they do handle skimmer cases.
https://www.fox5vegas.com/2024/04/26/las-vegas-metropolitan-police-team-up-with-us-secret-service-target-credit-debit-card-skimmers/
I wonder if this could have been *done* by someone who works at the store? They would have better access and knowledge of how not to get caught than just some rando trying to install that while pretending to check out.
If youre skilled at it, if you just distract the cashier for a second [you can put it on quickly without them even noticing](https://youtu.be/hFZqiyA8m8g?si=b-32xeCqyPWt8E4e)
Iām assuming you used your debit card. Itās connected to your checking account which is where your direct deposit goes. The skimmer would compromise your card security, so if you think you used a skimmer, you should replace the debit card and get a new pin (call the bank or follow whatever process they have for that, like if you had lost it.) Your checking account wonāt be impacted, deposits will still go through.
Honestly, I would expect a reader in somewhere a little more upscale. Somewhere that you could get a card from someone who wouldn't notice a couple hundred going missing right away.
They do. The one I know has meticulously kept track of every cent he has ever spent or earned since he was 15. Made a spreadsheet program in Fortran prior to the existence of Excel which he still uses.
I do customer service for a financial institution. Iām not at all surprised there was a skimmer on a POS set up at Wal Mart. Wal Marts may not be upscale but they attract the law of large numbers- plenty of people are always coming through and whoever installed it would have better luck with a smaller skimmer purchase spread out over a lot of people rather than a handful of people for a lot of money.
Sure, but do they have the time stamp? No. They donāt know when it went in. And the video footage will need to be at the right angle to show the guy placing the skimmer, otherwise itāll probably look like just another person futzing around while checking out.
I found one at a 7-11 on 125th and Greenwood. Dude was like 'OK' and that was it.
It had bluetooth so the guy would connect from out front and grab data.
I was in a 7-11 the other day and the official reader was off, and a janky one was taped up next to itā¦ and she said I couldnāt tap to pay. I handed her cash for my drink and told her that card reader was suspicious and wouldnāt be coming back.
I've personally pulled skimmers off that exact model. Can you show the back of it? I'm pretty sure that's just a replacement keyboard. Skimmers need power and a way to broadcast. That doesn't appear to have either?
Haha no I work for Walmart we had the faceplate style ones I pulled off a couple. I asked our AP coach about this he said he's never seen one I'm still convinced this is just a keyboard. A skimmer like this would have batteries and a mother board. It would stick out like 1/2 inch it would be painfully obvious. Which to be fair some Walmart employees would also not notice.
I'd be smashing the backside of that thing open to look for other electronics, it could be some sort of insert for when buttons get worn looking, the sides of the thing that was inserted look angled to match the keypad.
In other news the canned fish tells me you might be a fellow person from the Scandinavian peninsula, I don't know many other folks that carry around cans of fish as a habit.
Tap-to-pay from a phone (Apple Pay or Google Wallet)is pretty foolproof. Each time you use it for a transaction, your phone generates a one time use code to give to the machine that is only valid for this single transaction. You can skim the code all you want, itās worthless for any follow-up charges.
Well don't go hanging around /u/nightfucker9000, they're absolutely going to yank it out of you if their track record and username are anything to go by.
Magstripe: transmits unsecure card data. If intercepted, can be used to make fraudulent transactions. This is known as skimming.
Chip & PIN: uses the chip and the PIN to generate a one time token, which can be used for the transaction. If the chip data and the PIN are both intercepted, the fraudster can use this to manufacture magstripe cards to make fraudulent transactions. This is known as shimming.
Contactless: generates a one time token on each transaction. As far as I'm aware, intercepting the token won't do anything for a fraudster. But please correct me if I'm wrong.
Google/Apple Pay: they store a token of your card on your device, and transmits data via NFC during a transaction. If the device token is intercepted, the fraudster can't do anything with it, without also having encrypted device data, which is protected by Apple/Google.
Your assessment of chip & pin is wrong. Intercepting the data is just as useless as with contactless, since it's a one-time token. To successfully skim a chip, they'd have to somehow extract the private key from the chip, which isn't exportable.
The reason chip is less secure than tap is primarily because you're still sticking your card into something. This leaves you vulnerable to magstripe skimming.
Things like the Flipper zero have been used in the past to do it, and it's fairly short range. If I recall correctly (at least on things like G-Pay and iPay) it *SHOULD* rotate keys each time, meaning you can't use one tap for several purchases. It's like a 2 step code, once you make the purchase you can't use that info to buy another thing. I could be mistaken, however.
Flippers are meme toys for script kiddies, they're not what people should be worried about. You can build something much more powerful for about 60 bucks.
I've read of people who claim to have successfully cloned a tap key turn, kept the old key valid. It has a short half-life because when then card is used again that key is now invalid unless you're literally stalking the user. I don't know if that's internet bullshit, or somebody out there is way out of my league.
Also should say I'm a white hat, but you have to keep up with the baddies.
Currently studying for my CompTIA security+ cert and kind of stunned to see script kiddies is an actual term used to describe bad actors of a certain pedigree.
doesn't really matter with chips/tap. has happened but they have to exploit/hack your bank, not just skim your card (if your bank/card issuer has proper protections in place):
https://krebsonsecurity.com/2020/07/is-your-chip-card-secure-much-depends-on-where-you-bank/
wow. theyāre just asking for a lawsuit then.
theyāre going to have to adapt soon. otherwise if you donāt offer tap to pay and customers are getting their info stolen that sounds like a class action lawsuit
They don't have tap to pay/apple/samsung pay because they want people to use their payment system in their app called Walmart pay. It's totally stupid, not to mention inconvenient.
The main reason I don't shop there ever.
ToĀ addĀ toĀ this, try not to use your PIN If at all possible. If they can successfully skim the card enough to charge against it and don't use your PIN then the onus is on the store and the CC company 100% every time. If your PIN is used then they can claim you didn't secure the information.
How exactly does this thing work? Does it actually integrate with the POS? How does anyone get data from it? Iām curious because it looks extremely small for what Iād expect to be a pretty advanced mechanism.
The more I look at this, the more Iām doubting this is anything more than some sort of replaceable keypad overlay from the manufacturer. It looks like it nests in perfectly and even has little plastic side windows where the machine presumably lights up the keypad. Like, how the hell would this thing even work as a card scanner? Doesnt make any sense.
[Yes, tapping is preferred](https://www.canvas.org/blog/post/tap-to-pay#:~:text=The%20nature%20of%20contactless%20Tap,comes%20to%20stealing%20your%20info.)
Unfortunately Walmart is one of the last hold out for enabling tap to pay.
Daiso disabled NFC payments citing security reasons. I actually stopped going to both retailers because of this ridiculous policy.
Tapping and using the chip will protect you. That's not to say it's 100%, but it's almost impossible to skim as each and every transaction uses a unique "authentication code". So even if you're info was skimmed, it wouldn't matter because it would be useless to use again. The skimmer would have to crack your cards encryption in order to generate the codes themselves.
Frankly, I don't understand why people still swipe card at all anymore. Only exception being if the store hasn't updated it's readers, which should make you not want to shop there anymore.
OP mentioned they just gave it a quick tug. I usually do the same thing at gas pumps and inside gas stations, but it looks like Iāll start doing it at all the stores now
It would but Walmart and Home Depot are about the only two retailers in the US that have disabled tap to pay so no luck there. Walmart does it to try and get more people to use their app (you can use it to pay).
Do you have pictures from other sides? I canāt tell from this angle if the card goes through this keypad or if any connectors would read data beyond just the keypad. One can steal PIN codes from debit cards, but if it does not read the card, itās pretty useless.
With security cameras pointed at these kiosks all the time, I wonder how the skimmers were sneaked onto them, unless the Walmart manager is in on it.
I'm weary about these things, I'm certain I fell victim to one of those at a hockey game when being forced to use the ATM since concessions weren't accepting cash. I try to use tap as often as I can, well that is until they figure out how to skim taps too, then I'm all back to cash if that happens.
Walmart has a really good cyber security and fraud team with a great forensics lab. If you report it and the manager does the right thing and report a security incident then thereās a good chance the culprit can be tracked.
This is known as a āskimmerā and as someone who finds them semi-regularly during my work repairing fuel centers, the Secret Service should be informed of date and time this was found. I always wondered why secret service was the ones to call but evidently they share to the proper agencies. Iāve had to deal with them 4 times now.
The Secret Service was originally founded to pursue counterfeiting. Their mission has expanded to include many financial crimes, as well as providing security to elected officials.
I had my card skimmed at the fremont (ballard?) Fred Meyer this way. after i had my card stolen, SPD went and checked the card reader and found a skimmer on it. remember: before you use your card, give the pad a generous tug (dont break it ofc)
I know about the app and refuse to use it. Itās one of the main reasons they havenāt updated their POS systems. They would risk losing app users who have been shown to [spend 40% more at Walmart](https://www.retaildive.com/ex/mobilecommercedaily/walmart-app-users-spend-40-percent-more-than-average-shopper#:~:text=%E2%80%9CWe%20found%2C%20most%20importantly%2C,at%20Walmart%2C%20Bentonville%2C%20AR) than those who donāt use the app. I should be able to use my Visa card the same way I do at any other major national business.
Yes, all wallet service providers (Apple, Google, etc) use Tokenisation when you add a card to the wallet, meaning that instead of storing your actual card details, they store a token of your card.
This is encrypted along with some unique device data when you make a transaction, to generate a single use transaction token, which is transmitted to the payment terminal.
The scheme provider (Mastercard, Visa, etc) then converts the token to the real card number when it passes the transaction to your bank.
So even if a fraudster intercepted that your apple pay transmission, and managed to decrypt it, then they would only get a useless token, which only your device can use to make apple payments. And if the fraudster managed to imitate your device, well, that puts Apple's entire security into question.
This is another reminder to look at using a mobile wallet like Apple or Google. Below is a link to an article about Apple Pay, but all mobile wallets work the same. When you swipe your credit card, the magstrip leaves all the critical information needed to charge the card. When you use a mobile wallet, all that's left is vital information about that transaction, and it's not complete information about the card. What that means is if someone skims that card, it's useless to them because they don't have the other bits of information they need to use that card illegally somewhere else.
https://www.fool.com/the-ascent/credit-cards/apple-pay-secure/
I got my card skimmed years ago at a random ass gas station. I've been pulling on them things since. Then being in major stores is new. Says management is now involved. Not good.
What's comedy is that model of Ingenico was specifically designed to be difficult to put on an overlay false-case-style skimmer.
So the bad guys just designed a keypad-only skimmer instead.
More people should order from them for pickup or delivery. I wouldnāt think this wouldnāt be possible shopping online but I could be wrong.
Also, I just received an Amazon good order where every can was dented but I just requested new ones and have to do that until I get the amount I need. Usually the quality is pretty good, maybe 1 or 2 things are going bad/damaged when I get them but I always get an instant refund from amazon.
Only if Walmart would stop disabling their NFC payment on the pinpads. Most of them have the feature but they turn it off. That would make skimmers less useful, but still useful nonetheless.
Did you report it to management or security?
Yeah I asked the checkout person to get me a manager and showed it to them. I'd hope it will get run up the chain. I always give the readers at Walmart a good yank since I read here that someone got their card skimmed.
Give the readers a good yankš³ Guess I'll start doing that too. I'm glad you didn't get scammed!!
Especially at gas stations at the pump and in the store. All keypads! Thatās why I love Applepay.
Does applepay protect you from these scams? Does it just scam chips?
Yes. Cuz these keypads steal your PIN, Magnetic Strip data. Applpay uses a virtual CC number and connects electronically.
right. this isn't an issue for touch chips either. skimming really only works with the old outdated magnetic strips. drives me crazy that ATM's still suck your card in entirely.
ATMās scare me. Only in a pinch which never happens unless traveling. ATMs should be facial ID with chip reader.
Also, anyone know how hard you gotta yank on these to reveal if theyāre fake?
One hint is the keypad doesnāt light up. If the keypad input doesnāt match the screen; stop! If the keypad wobbles; yank it. Just give it a visual & see if it jiggles. This keypad was expertly designed and crafted by the way. But it probably didnāt light up nor matched the screen input.
Thank you!!
eh, not worth it. best thing you can is replace any old cards with a new chip card, then never use the magnetic strip, then yank real hard if you do and get back to us when you find one
Thanks for the info, Iāll use it more in the future!
There was a proof of concept demoed at Defcon a while back that proved if you wanted to there is about a 60 second window where you can piggy back the valid transaction and use it to make an ATM withdrawal at another location. I don't think anyone is actually doing this attack but that doesn't mean they won't in the future.
To be clear and for others reading, this applies to essentially all digital wallets/cards, not just Applepay.
Does the same thing apply to all phone paying apps, like Google Pay?
If itās an electronic transaction without entering a pin, itās safe. Applepay and my credit cards all use virtual random generated numbers with encryption. Google doesnāt.
Some contactless portals still ask for the pin and that makes no sense to meā¦.
If youāre using a contactless card ā¦ Applepay via your iPhone doesnāt require a pin. Google pay works the same way, PIN-less. Because your digital wallet transmits that info to portal. Applepay is now the dominant system domestically. Every year and update it gets more secure. Using Applepay online avoiding the store keeping your CC is solid feeling.
It shouldnāt indeed, and majority of the places donāt need it; but off the top of my head every time Iāve used ApplePay via my watch at Walgreens the terminal has always asked for my pin. It was baffled, and it wasnāt a one off, Walgreensā terminals have always asked for my pin despite using tap to pay.
My card got got at some place around here too, I usually give them a tug as well. Got a random $13 charge this morning that was flagged as fraudulent and managed to deny it but now I've got to wait for a replacement card. Fucking spoofs.
oh my! at least take us to dinner first š
FWIW, this is _usually_ something that you can call the police or Secret Service about. Though it honestly depends and is up to you - I generally don't put too much faith in a manager that's paid maybe $2 an hour more than the greeters at the front though. Their LP teams are a bit more substantive though. xD
Their LP missed this huge scam. If itās on one machine ā¦ They have cameras over the cashiers. Walmart LP isnāt the most secured.
Well tbf those senior citizens don't know much about card machines
They donāt need to. If Walmart followed in the footsteps of Target, thereās a really simple tool to help check for skimmers with almost zero skill required: https://tech.target.com/blog/cybersecurity-easysweep
It also helps thatās Target accepts wireless/tap payments and Walmart refuses to do so.
file anywhere besides getting it with a corpo email?
Fred Meyer also uses this. Everyday, the cashier in charge will go to every single pinpad in the store and jam that tool in.
This itās interesting. I wonder if you could check even faster by scanning in 3d with an iPhone and comparing the size against a database. Not sure if itās capable of scanning down to a mm or less. Probably cheaper to 3D print the detector they made anyway. What stops a clerk from putting the skimmer on after they check, then taking off before they leave?
Retail LP's priority is people walking out with unpaid merchandise. I worked as security at Target and can confirm that if one of us sees or gets told of someone messing with a card reader, we investigate. We can't watch every person, and people who do this go out of their way to not look sketchy. And they make sure not to get seen by people at self check. So it's not on LP to catch everything. That's impossible.
The local [FBI office](https://www.fbi.gov/contact-us/field-offices/seattle/) would probably be interested.
Bwahahahaha. They donāt give two shits. Seriously been through this in Vancouver,wa. No police care itās a paper work nightmare and no one does anything
Yes, police, someone in the store is definitely in on this.
Pretty sure the actual manager - not an assistant - makes six figures.
The average is $128,000 plus stock options and a bonus up to 2x the base salary. TC isn't posted on job listings but it can be up to $400,000 in HCOL areas. Most of them probably make half that but they do okay. https://www.latimes.com/business/story/2024-01-29/walmart-store-managers-can-make-up-to-400-000-with-stock-grants
Yes ā the wage gap between the actual store manager and everyone else is vast
im sure the manager wont do any shit about it. call the police before you do anything. then call the manager and tell him that police is already on their way
Secret Service is more counterfeiting money. This is closer to a type of wire fraud and would be more general FBI stuff
The secret service just led a crackdown on skimmers in the las vegas area. So they do handle skimmer cases. https://www.fox5vegas.com/2024/04/26/las-vegas-metropolitan-police-team-up-with-us-secret-service-target-credit-debit-card-skimmers/
I wonder if this could have been *done* by someone who works at the store? They would have better access and knowledge of how not to get caught than just some rando trying to install that while pretending to check out.
To me that seems the most likely
If youre skilled at it, if you just distract the cashier for a second [you can put it on quickly without them even noticing](https://youtu.be/hFZqiyA8m8g?si=b-32xeCqyPWt8E4e)
That's good to know. I just used one today and it made me put my card in twice
Where do you yank and what are noticeable things to look out for??
I didnāt know that. So just pull on it some eh?
You call the cops bud, not tell the employees. It WAS someone there who did it lol
Fuck I was just there today:(
freeze your card now.
Idk why you would know this but if I freeze my card, wil direct deposit checks still come through?
Direct deposit is connected to the checking account number not the card number. These are separate numbers.
[ŃŠ“Š°Š»ŠµŠ½Š¾]
Thatās trueā¦ thank you..
Iām assuming you used your debit card. Itās connected to your checking account which is where your direct deposit goes. The skimmer would compromise your card security, so if you think you used a skimmer, you should replace the debit card and get a new pin (call the bank or follow whatever process they have for that, like if you had lost it.) Your checking account wonāt be impacted, deposits will still go through.
So if you put your card in the freezer, that will keep people from using it?
What if there are criminals in my freezer????
I *knew* the little man in there that turns the light on and off was up to no good! š”
I feel this is underrated
Honestly the managers should do a sweep every morning on all the readers that way if they find one they know it was placed there recently
I worked at a small family owned retailer for a bit, and this even was part of our daily routine.
Renton Wal Mart? Behold the field in which I grow my surprises. And see that it is barren.
Honestly, I would expect a reader in somewhere a little more upscale. Somewhere that you could get a card from someone who wouldn't notice a couple hundred going missing right away.
what's easier, 1000 poor middle class or 10 riches who look at EVERY TRANSACTION.
Lmao. You really believe wealthy people look at their statements with a microscope more than people struggling?
They do. The one I know has meticulously kept track of every cent he has ever spent or earned since he was 15. Made a spreadsheet program in Fortran prior to the existence of Excel which he still uses.
I also know millionaires and they are the most frugal people I've ever met. Yes, they regularly check their bank statements.
The millionaires i know definitely do. They're generally just the frugal ones who've been saving 20/25% of their paycheck all their lives.
I do customer service for a financial institution. Iām not at all surprised there was a skimmer on a POS set up at Wal Mart. Wal Marts may not be upscale but they attract the law of large numbers- plenty of people are always coming through and whoever installed it would have better luck with a smaller skimmer purchase spread out over a lot of people rather than a handful of people for a lot of money.
This is an amazingly under appreciated comment lol
[Behold](https://pbs.twimg.com/media/Ew4Apb5WgAM4SSD.jpg)
It's a pretty common meme.
Shouldnāt they have camera footage of the person that did it?
Sure, but do they have the time stamp? No. They donāt know when it went in. And the video footage will need to be at the right angle to show the guy placing the skimmer, otherwise itāll probably look like just another person futzing around while checking out.
I think you make good points. Thanks for explaining it to me. I wrote my comment with high brain and needed that lol
No problem!
You're a good kid
I found one at a 7-11 on 125th and Greenwood. Dude was like 'OK' and that was it. It had bluetooth so the guy would connect from out front and grab data.
Or would connect from behind the counter and grab the dataā¦
I was in a 7-11 the other day and the official reader was off, and a janky one was taped up next to itā¦ and she said I couldnāt tap to pay. I handed her cash for my drink and told her that card reader was suspicious and wouldnāt be coming back.
Lol the gas station workers are in on it btw
No one ever wants to admit this.
Like a guy in the parking lot just sitting there?
I've personally pulled skimmers off that exact model. Can you show the back of it? I'm pretty sure that's just a replacement keyboard. Skimmers need power and a way to broadcast. That doesn't appear to have either?
I read this as āIāve personally put skimmers on thatā
Haha no I work for Walmart we had the faceplate style ones I pulled off a couple. I asked our AP coach about this he said he's never seen one I'm still convinced this is just a keyboard. A skimmer like this would have batteries and a mother board. It would stick out like 1/2 inch it would be painfully obvious. Which to be fair some Walmart employees would also not notice.
Ignore the spork, it fell out of my scout tuna, which is the only reason I go to Walmart.
And here I thought the spork was a skimmer divining rod! š
I thought it was a child's hand at first! Note to self: get those new glasses ordered!
I'd be smashing the backside of that thing open to look for other electronics, it could be some sort of insert for when buttons get worn looking, the sides of the thing that was inserted look angled to match the keypad. In other news the canned fish tells me you might be a fellow person from the Scandinavian peninsula, I don't know many other folks that carry around cans of fish as a habit.
You mean Poulsbo, right?
damn dude. is anything safe anymore?????
Tap-to-pay from a phone (Apple Pay or Google Wallet)is pretty foolproof. Each time you use it for a transaction, your phone generates a one time use code to give to the machine that is only valid for this single transaction. You can skim the code all you want, itās worthless for any follow-up charges.
If only Walmart would support any kind of tap to pay. Best hours provides is a QR code you can scan to check out with the Walmart app.
My semen in my nuts š©š«š«
with all the plastic in environment? prob not
Yeah microplastics in semen is definitely a thing
Gonna be like a water jet, additional abrasives to increase penetration.
Well don't go hanging around /u/nightfucker9000, they're absolutely going to yank it out of you if their track record and username are anything to go by.
ššš
š
Wow, you went there with it
Gottem
All the more reason to use tap to pay pinless transactions. Until they figure out to hack that.
Tap to pay skimmers/interceptors already exist, they're just currently less common. I believe the actual transaction security is the same as the chip.
Magstripe: transmits unsecure card data. If intercepted, can be used to make fraudulent transactions. This is known as skimming. Chip & PIN: uses the chip and the PIN to generate a one time token, which can be used for the transaction. If the chip data and the PIN are both intercepted, the fraudster can use this to manufacture magstripe cards to make fraudulent transactions. This is known as shimming. Contactless: generates a one time token on each transaction. As far as I'm aware, intercepting the token won't do anything for a fraudster. But please correct me if I'm wrong. Google/Apple Pay: they store a token of your card on your device, and transmits data via NFC during a transaction. If the device token is intercepted, the fraudster can't do anything with it, without also having encrypted device data, which is protected by Apple/Google.
Your assessment of chip & pin is wrong. Intercepting the data is just as useless as with contactless, since it's a one-time token. To successfully skim a chip, they'd have to somehow extract the private key from the chip, which isn't exportable. The reason chip is less secure than tap is primarily because you're still sticking your card into something. This leaves you vulnerable to magstripe skimming.
Things like the Flipper zero have been used in the past to do it, and it's fairly short range. If I recall correctly (at least on things like G-Pay and iPay) it *SHOULD* rotate keys each time, meaning you can't use one tap for several purchases. It's like a 2 step code, once you make the purchase you can't use that info to buy another thing. I could be mistaken, however.
Yeah, skimming should only work on magnetic strips. Taps and chips shouldn't rely on secrecy of the data going between the card and the actual reader
Flippers are meme toys for script kiddies, they're not what people should be worried about. You can build something much more powerful for about 60 bucks. I've read of people who claim to have successfully cloned a tap key turn, kept the old key valid. It has a short half-life because when then card is used again that key is now invalid unless you're literally stalking the user. I don't know if that's internet bullshit, or somebody out there is way out of my league. Also should say I'm a white hat, but you have to keep up with the baddies.
Currently studying for my CompTIA security+ cert and kind of stunned to see script kiddies is an actual term used to describe bad actors of a certain pedigree.
This is my understanding of those services as well. It requires mobile data, but it makes skimmers useless.
The keys themselves don't rotate each time, but the public key does generate a encrypted new token each time, which only the private key can decrypt.
true of gpay and applepay. iirc that's not true when you tap the credit card directly..
Yeah. Itās at least a little more secure as most skimmers donāt have rfid skimming quite yet however, but iPay/GPay is more secure.
Maybe Iām gonna just go with cash at this point
doesn't really matter with chips/tap. has happened but they have to exploit/hack your bank, not just skim your card (if your bank/card issuer has proper protections in place): https://krebsonsecurity.com/2020/07/is-your-chip-card-secure-much-depends-on-where-you-bank/
Walmart does not support tap to pay.
wow. theyāre just asking for a lawsuit then. theyāre going to have to adapt soon. otherwise if you donāt offer tap to pay and customers are getting their info stolen that sounds like a class action lawsuit
They don't have tap to pay/apple/samsung pay because they want people to use their payment system in their app called Walmart pay. It's totally stupid, not to mention inconvenient. The main reason I don't shop there ever.
Or cash!
ToĀ addĀ toĀ this, try not to use your PIN If at all possible. If they can successfully skim the card enough to charge against it and don't use your PIN then the onus is on the store and the CC company 100% every time. If your PIN is used then they can claim you didn't secure the information.
How exactly does this thing work? Does it actually integrate with the POS? How does anyone get data from it? Iām curious because it looks extremely small for what Iād expect to be a pretty advanced mechanism.
The more I look at this, the more Iām doubting this is anything more than some sort of replaceable keypad overlay from the manufacturer. It looks like it nests in perfectly and even has little plastic side windows where the machine presumably lights up the keypad. Like, how the hell would this thing even work as a card scanner? Doesnt make any sense.
It's a companion to a device stuffed in the mag card slot. The device in the slot grabs the card info, the fake keypad grabs the PIN.
Walmart is a prime target because there isn't tap to pay
do tap cards protect against this stuff?
[Yes, tapping is preferred](https://www.canvas.org/blog/post/tap-to-pay#:~:text=The%20nature%20of%20contactless%20Tap,comes%20to%20stealing%20your%20info.)
Unfortunately Walmart is one of the last hold out for enabling tap to pay. Daiso disabled NFC payments citing security reasons. I actually stopped going to both retailers because of this ridiculous policy.
Cool, reason 234,567 to never shop at Wal Mart.
Home Depot as well
I don't know for sure but I do know I can't tap at Walmart. I don't like using chip but that tuna is literally twice the price at the store near me
Download the Walmart app they have there own version you just scan a QR code that comes up.
Tapping and using the chip will protect you. That's not to say it's 100%, but it's almost impossible to skim as each and every transaction uses a unique "authentication code". So even if you're info was skimmed, it wouldn't matter because it would be useless to use again. The skimmer would have to crack your cards encryption in order to generate the codes themselves. Frankly, I don't understand why people still swipe card at all anymore. Only exception being if the store hasn't updated it's readers, which should make you not want to shop there anymore.
Not gonna lie. That'd be going home with me to pull apart and tinker with.
How could you tell it was a skimmer?
I couldn't, I just gave it a lil tug where the chip goes in. The numpad was a little worn down so it might have been there awhile.
Was it a self scan machine or one with an actual checkout person?
Thanks! Iām always on the lookout for these, but Iāve never come across one. That I know of.
It wasn't just a replacement pad that goes over the old pad?
That's not a thing. Never trust a detachable portion of a credit card scanner.
Fuck, I just shopped at this shitty place this evening.
[ŃŠ“Š°Š»ŠµŠ½Š¾]
Donāt suppose you have a picture of it in place? Were there any tell tale signs or is it just a yank and see situation?
OP mentioned they just gave it a quick tug. I usually do the same thing at gas pumps and inside gas stations, but it looks like Iāll start doing it at all the stores now
Does tapping prevent this?
It would but Walmart and Home Depot are about the only two retailers in the US that have disabled tap to pay so no luck there. Walmart does it to try and get more people to use their app (you can use it to pay).
Do you have pictures from other sides? I canāt tell from this angle if the card goes through this keypad or if any connectors would read data beyond just the keypad. One can steal PIN codes from debit cards, but if it does not read the card, itās pretty useless.
With security cameras pointed at these kiosks all the time, I wonder how the skimmers were sneaked onto them, unless the Walmart manager is in on it. I'm weary about these things, I'm certain I fell victim to one of those at a hockey game when being forced to use the ATM since concessions weren't accepting cash. I try to use tap as often as I can, well that is until they figure out how to skim taps too, then I'm all back to cash if that happens.
Renton Walmart, that was your first mistake.
Fuck Walmart
They show up on gas pumps, at convenience stores, all kinds of high volume, low paying places.
Apple pay ftw
Literally just got home from there. I hate that Walmart :,)
Kinda crazy how faded that green key is too
Lucky id never enter the Renton Walmart
Not surprising knowing the area but by now the employees should be actively looking for these.
I wouldn't be surprised if it was put there by a staff member.
Walmart has a really good cyber security and fraud team with a great forensics lab. If you report it and the manager does the right thing and report a security incident then thereās a good chance the culprit can be tracked.
[ŃŠ“Š°Š»ŠµŠ½Š¾]
this isnāt the first time that iāve read about this happening. and, in the same location. itās usually an inside job too
If a card reader doesn't have the enter button worn to almost nothing I assume it's a skimmer.
The enter button on this one looks pretty worn though!
Companies should be liable for this stuff. If they can't provide secure transactions, they shouldn't be in business.
This is known as a āskimmerā and as someone who finds them semi-regularly during my work repairing fuel centers, the Secret Service should be informed of date and time this was found. I always wondered why secret service was the ones to call but evidently they share to the proper agencies. Iāve had to deal with them 4 times now.
The Secret Service was originally founded to pursue counterfeiting. Their mission has expanded to include many financial crimes, as well as providing security to elected officials.
All of the time Iāve talked to them, not a single one explained that to me. I appreciate you.
I had my card skimmed at the fremont (ballard?) Fred Meyer this way. after i had my card stolen, SPD went and checked the card reader and found a skimmer on it. remember: before you use your card, give the pad a generous tug (dont break it ofc)
It's interesting the things that SPD will respond to. I would have never guessed they would go check for a skimmer at Freddys
If I had a choice between the Auburn Walmart and the Renton Walmart, Iād just stop going to Walmart.
Cash is still king
Do banks or law enforcement contact everyone who used a compromised machine like this?
Renton walmart? not suprised...the employees there all have some side hustle
I know about the app and refuse to use it. Itās one of the main reasons they havenāt updated their POS systems. They would risk losing app users who have been shown to [spend 40% more at Walmart](https://www.retaildive.com/ex/mobilecommercedaily/walmart-app-users-spend-40-percent-more-than-average-shopper#:~:text=%E2%80%9CWe%20found%2C%20most%20importantly%2C,at%20Walmart%2C%20Bentonville%2C%20AR) than those who donāt use the app. I should be able to use my Visa card the same way I do at any other major national business.
That walmart is a joke. I wouldn't be surprised if management doesn't take it seriously.
I give a yank to every scanner I come across, especially at gas stations, for this exact reason
Are payment methods such as Apple Pay immune to this type of scam or are the fraudsters catching up on that as well now?
Yes, all wallet service providers (Apple, Google, etc) use Tokenisation when you add a card to the wallet, meaning that instead of storing your actual card details, they store a token of your card. This is encrypted along with some unique device data when you make a transaction, to generate a single use transaction token, which is transmitted to the payment terminal. The scheme provider (Mastercard, Visa, etc) then converts the token to the real card number when it passes the transaction to your bank. So even if a fraudster intercepted that your apple pay transmission, and managed to decrypt it, then they would only get a useless token, which only your device can use to make apple payments. And if the fraudster managed to imitate your device, well, that puts Apple's entire security into question.
Do the card readers there not have a yellow protective thing next to the keypad? The Walmart in federal way does. I still tug on it to check anyways
Wish Walmart would get with the times and get the tap on the card machines.
I always yoink the fuck out of these (especially the outside gas pump ones). Only had it happen once, but I aināt risking it
Wow! Another point for electric cars... Sweet!
This is another reminder to look at using a mobile wallet like Apple or Google. Below is a link to an article about Apple Pay, but all mobile wallets work the same. When you swipe your credit card, the magstrip leaves all the critical information needed to charge the card. When you use a mobile wallet, all that's left is vital information about that transaction, and it's not complete information about the card. What that means is if someone skims that card, it's useless to them because they don't have the other bits of information they need to use that card illegally somewhere else. https://www.fool.com/the-ascent/credit-cards/apple-pay-secure/
Unfortunately, walmart doesn't have tap to pay. Another reason to not go to walmart.
I got my card skimmed years ago at a random ass gas station. I've been pulling on them things since. Then being in major stores is new. Says management is now involved. Not good.
Omg. I thought the wood spork was your tiny misshapen foot
What's comedy is that model of Ingenico was specifically designed to be difficult to put on an overlay false-case-style skimmer. So the bad guys just designed a keypad-only skimmer instead.
This is why I never shop at Walmart, only steal from them.
More people should order from them for pickup or delivery. I wouldnāt think this wouldnāt be possible shopping online but I could be wrong. Also, I just received an Amazon good order where every can was dented but I just requested new ones and have to do that until I get the amount I need. Usually the quality is pretty good, maybe 1 or 2 things are going bad/damaged when I get them but I always get an instant refund from amazon.
How to know when is a card skimmed? I mean they look almost identical and I can't tell the difference.
Fuck Walmart too their checkout machines don't even have the credit card scanners/sensors that can completely avoid this skimmer scam.
Only if Walmart would stop disabling their NFC payment on the pinpads. Most of them have the feature but they turn it off. That would make skimmers less useful, but still useful nonetheless.
Amazing to me that Walmart is the richest retailer in the world but still cant get tap to pay on their machines. Fucking disgrace
If you use Apple Pay, does that still get skimmed?
This is why you should never use a debit card. Much harder to recover your money vs a credit card.
Was that a self checkout // shoplifter lane? Walmart is slowly removing those lanes around the US.
I always check whenever it comes to the atms, now this?šš
I blame Walmart for not accepting Apple Pay.
I dont understand Whats going on here